10 identity management metrics that matter

Monitoring these key identity and access management numbers will help you evaluate the performance of your IAM solution.

A changing data landscape, the proliferation of credential-based threats, and a tougher regulatory environment are creating pressure for organizations to deploy identity and access management (IAM) systems, even though the systems can be a bear to get right. Three things make them hard:

The breadth of cooperation needed for success. Every constituency in an organization needs to be involved in the review, approval and operational deployment of the system. "IAM touches virtually every facet of an organization from the CEO to the intern, and given how generally difficult it is to install, integrate and operate, it requires considerable sustained labor and lengthy periods of deployment," notes Jack Mannino, CEO of nVisium, an application security provider.

A myopic focus on technology. "Organizations tend to quickly focus on the technology, rather than keeping focus on the humans that will use it," observes Joseph Carson, a chief security scientist with Thycotic, a provider of privileged account management solutions. "That will create employee friction and poor adoption that will hinder deployments or delay."

A messy infrastructure. The infrastructure of many organizations can be spread across multiple physical and virtual locations and is often misunderstood and misconfigured. "IAM initiatives are difficult to deploy because of the chaos that is the modern-day enterprise. The foundation IAM needs to stand on is fundamentally broken," maintains Adam Laub, CMO of Stealthbits, a cybersecurity software company.

The importance of identity governance

Despite these challenges, companies continue to spend on IAM systems. Market research company IDC estimates the IAM market grew nearly 7% over the last year to $8 billion and will continue to grow in the low double digits over the next several years. Among the drivers behind that growth will be digital transformation. "Despite all the excitement associated with digital transformation, at least 60% to 70% of all computing workloads are on-premises," says Jay Bretzmann, IDC research director for cybersecurity products. "When those workloads move, they're going to have to change their identity approach."

A fundamental building block of any organization's IAM strategy is identity governance and administration (IGA). If IGA is working as it should, it can improve the identity process, make compliance easier and reduce the risk of unauthorized access. "Without IGA it becomes very challenging to aggregate and correlate disparate identity and access rights data that is distributed throughout the IT landscape to enhance control over user access," says Henrique Teixeira, research director for identity and access management at Gartner, a research and advisory company.

"IGA is the discipline responsible for the administration-time decisions for creation, modification, and suspension of credentials, which is a fundamental piece of enablement of other IAM initiatives, like access management and privileged access management," he adds.

Often governance is a must have to satisfy regulators. "The main reason most organizations start implementing IAM is to meet some compliance or regulatory need," notes Thycotic's Carson.

Fausto Oliveira, principal security architect at Acceptto, a cybersecurity company focused on cognitive authentication, adds that a good governance system can contribute to better acceptance of an IAM solution. "Stakeholders have different views, objectives and problems when faced with a transformative project, like an IAM system," he says. "Proper governance ensures that this type of initiative leads to well-defined outcomes and that the issues and challenges raised by the various stakeholders are addressed, remediated, or explained in a way that encourages adoption."

Identity metrics that matter

Once an IAM system has been deployed, it's important to monitor its effectiveness through the use of metrics. Monitoring is important not only to the managers of the system, but also to its stakeholders, who are just about everyone. Here are 10 key metrics to which you should pay close attention.

Password resets

"Next to compliance, password resets are the reason people start justifying new identity investments," IDC's Bretzmann says. "In some organizations, you've got seven to ten people resetting their passwords on a weekly or monthly basis."

He estimates that a reset can cost an organization anywhere from $10 to $70. "Imagine doing that for half your workforce every month," he observes.

Distinct credentials per user

The more credentials an employee needs to remember, the more likely they'll take shortcuts that can jeopardize security. "The number of applications people are dealing with has risen from ten to more than 50," Bretzmann says. "Employees can't juggle all those passwords so they start reusing them."

"You'll see attackers do credential stuffing," he continues, "and use a stolen password on a bunch of applications because the chances it will work more than once are pretty good."

Uncorrelated accounts

Also known as orphan accounts, uncorrelated accounts are accounts that cannot be matched to an active identity in the authoritative source, usually the HR system. They most often appear when there's a change in an employee's status, typically when they leave the company and the account is never disabled. A good IAM system should flag such accounts on two signals: the failed correlation itself, and the abnormal inactivity they tend to display. It's important to close them down because they pose a security risk: nobody is accountable for them, so misuse goes unnoticed. "They're ripe for attack if they're not controlled," warns Morey Haber, CTO of BeyondTrust, a maker of privileged account management and vulnerability management solutions.

"Many IAM programs have achieved a high level of proficiency in provisioning access to resources," adds Stealthbits’ Laub. "Few, in comparison, have achieved the same level of proficiency in removing access in a complete fashion or transferring access rights when job assignments change."

Percentage of owned resources

Resources without an owner pose a threat similar to orphan accounts. "Having identified, assigned and certified ownership over any given resource is an indication that the resource is actually in a governable state," explains Laub. "In order to facilitate an entitlement review or self-service access request, a resource owner must be present to facilitate the transaction. Resources without owners represent a gap."

New accounts provisioned

It's important to review these accounts because they're often over-provisioned. "The reason they do that is that they're not really sure which systems the employee may need," Bretzmann explains. "If I hire someone and I prevent them from doing their work, shame on me. We should allow people to do the tasks that we hired them to do. If you give them access to nothing, and they have to ask for access all the time, you overload the help desk. That's expensive and can lead to delays."

An IAM system can monitor new accounts, determine which of the granted privileges the employee actually uses, and recommend to an administrator that the unused ones be removed.

Average time to provision a user

The longer it takes to provision a new or changed user, the greater the hit on that user's productivity. The longer it takes to deprovision a departing employee, the longer a working credential stays in the hands of someone who no longer needs it, and the longer that attack vector is exposed. "Deprovisioning employees leaving a company is a huge problem," BeyondTrust's Haber says. "I recently checked my account with a company I left 18 years ago, and it was still active."

Automation can help with reducing the time it takes to provision and deprovision employees. "Once I understand a role tightly, I can have a robot do all the provisioning or deprovisioning for me," Bretzmann explains. "But you've got to have your roles defined correctly, because if you don't, the robot can open your environment to all types of exposures."
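The three metrics above (uncorrelated accounts, percentage of owned resources, and time to provision and deprovision) all come from joining the same three inventories: the HR roster, the account list, and a resource-owner registry. The following Python is an added example of that join, written for this page rather than taken from any vendor or expert it quotes; the record layouts, the 90-day inactivity threshold and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 90  # assumption: an enabled account unused this long gets flagged


@dataclass
class Employee:
    employee_id: str
    hired: date
    terminated: Optional[date]  # None while still employed


@dataclass
class Account:
    account_id: str
    employee_id: Optional[str]  # None when the account carries no HR link at all
    created: date
    disabled: Optional[date]    # None while the account is enabled
    last_login: Optional[date]


@dataclass
class Resource:
    name: str
    owner: Optional[str]  # employee_id of the accountable owner, if any


def orphan_accounts(accounts, employees, today):
    """Enabled accounts that cannot be tied to a current employee: no HR link,
    a link to an identity HR does not know, or a link to someone who has left.
    Long inactivity on a correlated account is reported as a weaker signal."""
    roster = {e.employee_id: e for e in employees}
    findings = []
    for a in accounts:
        if a.disabled is not None:
            continue  # already closed
        emp = roster.get(a.employee_id) if a.employee_id else None
        if emp is None:
            findings.append((a.account_id, "no matching HR identity"))
        elif emp.terminated is not None and emp.terminated <= today:
            findings.append((a.account_id, f"owner left on {emp.terminated}"))
        elif a.last_login is None or (today - a.last_login).days > INACTIVITY_DAYS:
            findings.append((a.account_id, "enabled but inactive"))
    return findings


def owned_resource_percentage(resources, employees, today):
    """Share of resources whose owner is a current employee. An owner who has
    left counts as no owner: nobody can answer an entitlement review for it."""
    active = {e.employee_id for e in employees
              if e.terminated is None or e.terminated > today}
    owned = sum(1 for r in resources if r.owner in active)
    return round(100.0 * owned / len(resources), 1) if resources else 100.0


def provisioning_lag_days(accounts, employees):
    """Average days from hire to first account, and from termination to the
    disabling of each account. A leaver's account that is still enabled is
    left out of the average and returned by name: that lag is still growing."""
    roster = {e.employee_id: e for e in employees}
    first_account, deprovision, still_open = {}, [], []
    for a in accounts:
        emp = roster.get(a.employee_id) if a.employee_id else None
        if emp is None:
            continue
        first_account[emp.employee_id] = min(
            first_account.get(emp.employee_id, a.created), a.created)
        if emp.terminated is not None:
            if a.disabled is None:
                still_open.append(a.account_id)
            else:
                deprovision.append((a.disabled - emp.terminated).days)
    provision = [(d - roster[eid].hired).days for eid, d in first_account.items()]
    avg = lambda xs: round(sum(xs) / len(xs), 1) if xs else 0.0
    return avg(provision), avg(deprovision), still_open


# Constructed sample data.
TODAY = date(2020, 3, 1)
EMPLOYEES = [
    Employee("e1", date(2019, 1, 7), None),
    Employee("e2", date(2019, 6, 3), date(2020, 1, 31)),   # left a month ago
    Employee("e3", date(2020, 2, 24), None),               # hired last week
]
ACCOUNTS = [
    Account("alice", "e1", date(2019, 1, 7), None, date(2020, 2, 28)),
    Account("alice-adm", "e1", date(2019, 3, 1), None, date(2019, 10, 1)),
    Account("bob", "e2", date(2019, 6, 5), date(2020, 2, 3), date(2020, 1, 30)),
    Account("bob-vpn", "e2", date(2019, 6, 10), None, date(2020, 1, 29)),
    Account("carol", "e3", date(2020, 2, 27), None, date(2020, 2, 27)),
    Account("svc-backup", None, date(2018, 5, 1), None, date(2019, 9, 1)),
]
RESOURCES = [Resource("hr-db", "e1"), Resource("payroll-share", "e2"),
             Resource("ci-secrets", None), Resource("crm", "e3")]

if __name__ == "__main__":
    for acct, why in orphan_accounts(ACCOUNTS, EMPLOYEES, TODAY):
        print(f"orphan: {acct}: {why}")
    print(f"owned resources: {owned_resource_percentage(RESOURCES, EMPLOYEES, TODAY)}%")
    print("days to provision / deprovision, leavers still enabled:",
          provisioning_lag_days(ACCOUNTS, EMPLOYEES))
```

Note that the two "bob" accounts are treated differently: one was disabled three days after his termination and contributes to the deprovisioning average, while the VPN account was never touched and is reported as an orphan. Run against a real export, that second list is the one worth acting on before the average is.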

Privileged accounts without an owner

"This a huge problem and a primary attack vector," Haber says. "Once one of these accounts is compromised, a hacker has the keys to the kingdom."

Managing privileged accounts has become such a problem that it has spawned a whole subcategory of solutions. Called privileged access management (PAM), it seeks to impose tight control and documentation of privileged access.

A central component of PAM is password vaulting. When a privileged user needs to exercise their privileges, they check out a password from the vault, and everything done with that password until it's returned to the vault is logged. The vault should also rotate the password on check-in, so the value the user saw cannot be reused once the session is over. "That allows me to know not only who had administrative access, but what they did, which allows me to pass compliance audits much easier than if I didn't have a PAM solution," Bretzmann explains.
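An added illustration of the checkout model just described, written for this page rather than taken from any PAM product: a vault that hands out a privileged password only to an entitled user who states a reason, refuses a second concurrent holder, expires stale sessions, rotates the password on check-in, answers the audit question "who held this account at time T?", and reports privileged accounts enrolled without an owner (the metric at the top of this section). The account names, the one-hour session limit and the `demo()` walk-through are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


class VaultError(Exception):
    pass


@dataclass
class Checkout:
    account: str
    user: str
    reason: str
    start: datetime
    end: Optional[datetime] = None  # None while the password is still out


class PasswordVault:
    """Privileged passwords live only here. A checkout is tied to a user and a
    reason, one user holds an account at a time, stale sessions expire, and
    the password is rotated on check-in so the value the user saw is dead."""

    def __init__(self, max_session: timedelta = timedelta(hours=1)):
        self.max_session = max_session      # assumption: one-hour sessions
        self._secrets: Dict[str, str] = {}
        self._owner: Dict[str, Optional[str]] = {}
        self._entitled: Dict[str, Set[str]] = {}
        self._active: Dict[str, Checkout] = {}
        self.ledger: List[Checkout] = []    # the audit trail

    def enroll(self, account: str, owner: Optional[str], entitled: Set[str]):
        self._secrets[account] = secrets.token_urlsafe(24)
        self._owner[account] = owner
        self._entitled[account] = set(entitled)

    def unowned_accounts(self) -> List[str]:
        """The 'privileged accounts without an owner' metric."""
        return sorted(a for a, o in self._owner.items() if o is None)

    def checkout(self, account: str, user: str, reason: str, now: datetime) -> str:
        if account not in self._secrets:
            raise VaultError(f"{account} is not vaulted")
        if user not in self._entitled[account]:
            raise VaultError(f"{user} is not entitled to {account}")
        if not reason.strip():
            raise VaultError("a checkout reason is required")
        held = self._active.get(account)
        if held is not None:
            if now - held.start >= self.max_session:
                self._close(account, now)   # stale session: force check-in
            else:
                raise VaultError(f"{account} is checked out by {held.user}")
        rec = Checkout(account, user, reason, now)
        self._active[account] = rec
        self.ledger.append(rec)
        return self._secrets[account]

    def checkin(self, account: str, user: str, now: datetime):
        held = self._active.get(account)
        if held is None or held.user != user:
            raise VaultError(f"{user} does not hold {account}")
        self._close(account, now)

    def _close(self, account: str, now: datetime):
        self._active.pop(account).end = now
        self._secrets[account] = secrets.token_urlsafe(24)  # rotate on return

    def holder_at(self, account: str, when: datetime) -> Optional[str]:
        """Audit question: who held this account's password at that moment?"""
        for rec in self.ledger:
            if (rec.account == account and rec.start <= when
                    and (rec.end is None or when < rec.end)):
                return rec.user
        return None


def demo() -> dict:
    """One checkout cycle on constructed accounts; returns the facts an
    auditor would ask the ledger to prove."""
    t0 = datetime(2020, 3, 2, 9, 0)
    v = PasswordVault()
    v.enroll("root@db01", owner="dba-team", entitled={"alice", "bob"})
    v.enroll("admin@legacy-erp", owner=None, entitled={"bob"})
    first = v.checkout("root@db01", "alice", "INC-4411 disk full", t0)
    try:  # bob is entitled, but alice still holds the password
        v.checkout("root@db01", "bob", "INC-4412", t0 + timedelta(minutes=5))
        bob_denied = False
    except VaultError:
        bob_denied = True
    v.checkin("root@db01", "alice", t0 + timedelta(minutes=30))
    second = v.checkout("root@db01", "alice", "INC-4411 follow-up",
                        t0 + timedelta(hours=2))
    return {
        "rotated": first != second,
        "bob_denied": bob_denied,
        "holder_0915": v.holder_at("root@db01", t0 + timedelta(minutes=15)),
        "holder_1000": v.holder_at("root@db01", t0 + timedelta(hours=1)),
        "unowned": v.unowned_accounts(),
    }


if __name__ == "__main__":
    print(demo())
```

The ledger, not the password, is what makes the audit answerable: because every checkout carries a user, a reason and a time span, "who was root on db01 at 09:15?" has exactly one answer, and because the password changes on every check-in, an answer of "nobody" at 10:00 is also true of the credential itself.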

Separation-of-duty violations

Policies should be formulated by one party and approved by another, and the same principle applies to any pair of entitlements that together let one person both perform a sensitive action and sign off on it. Good policy software will flag violations of that rule, whether the conflicting entitlements reach a user through one role or several. "It's a check and balances thing," Bretzmann says. "You don't want the person defining the policy to have the ability to approve its execution."
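Bretzmann's author-versus-approver case is one instance of a conflict pair. The following is an added example, not code from the page's sources, of how policy software evaluates such pairs, generalized to a table of conflicting entitlements and to entitlements that reach a user through several roles. It includes both the detective scan over existing assignments and the preventive check an approver would run before granting a role. The conflict table, role catalogue and assignments are constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed conflict table: entitlement pairs no single identity may hold.
# The first pair is the page's own case: authoring a policy and approving it.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"policy:author", "policy:approve"}),
    frozenset({"vendor:create", "payment:approve"}),
    frozenset({"user:provision", "accessreview:certify"}),
}

# Constructed role catalogue and assignments.
ROLES: Dict[str, Set[str]] = {
    "sec-policy-editor": {"policy:author", "policy:read"},
    "ciso-office": {"policy:approve", "policy:read"},
    "ap-clerk": {"vendor:create", "invoice:enter"},
    "ap-manager": {"payment:approve", "invoice:read"},
    "iam-admin": {"user:provision", "user:disable"},
}
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"sec-policy-editor"},
    "bob": {"sec-policy-editor", "ciso-office"},  # author and approver: violation
    "carol": {"ap-clerk", "ap-manager"},          # can create a vendor and pay it
    "dave": {"iam-admin"},
}


def effective_entitlements(user: str, assignments=ASSIGNMENTS, roles=ROLES) -> Set[str]:
    """Union of entitlements across all the user's roles. Checking roles one at
    a time would miss a conflict split across two roles, the common case."""
    ents: Set[str] = set()
    for role in assignments.get(user, ()):
        ents |= roles.get(role, set())
    return ents


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES,
                   conflicts=CONFLICTS) -> List[Tuple[str, str, str]]:
    """Detective control: scan every identity for a forbidden pair."""
    out = []
    for user in assignments:
        ents = effective_entitlements(user, assignments, roles)
        for pair in conflicts:
            if pair <= ents:
                a, b = sorted(pair)
                out.append((user, a, b))
    return sorted(out)


def grant_conflicts(user: str, new_role: str, assignments=ASSIGNMENTS,
                    roles=ROLES, conflicts=CONFLICTS) -> List[str]:
    """Preventive control: which entitlements the user already holds would
    clash with new_role? Empty means the grant is clean. A role that carries
    both halves of a pair by itself is reported as both halves."""
    have = effective_entitlements(user, assignments, roles)
    incoming = roles.get(new_role, set())
    clashes: Set[str] = set()
    for pair in conflicts:
        a, b = sorted(pair)
        if pair <= incoming:
            clashes |= pair
        elif a in incoming and b in have:
            clashes.add(b)
        elif b in incoming and a in have:
            clashes.add(a)
    return sorted(clashes)


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"violation: {user} holds both {a} and {b}")
    print("granting ciso-office to alice clashes with:",
          grant_conflicts("alice", "ciso-office"))
```

The preventive check is the one that keeps the detective list short: refusing bob's second role at request time costs one approver a moment, while finding it in a quarterly scan means every policy he approved in the meantime has to be re-reviewed.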

Access privilege reviews

Because access privileges are always in flux and accounts are often over-privileged, it's important to understand which permissions are in use, which are effective (what an identity can actually do once roles, groups and inherited rights are combined), and which are not exercised on a regular basis.

"Tracking such permissions on a regular basis and automating analysis through correlation, notification and proactive protection is important since most breaches in the cloud occur when attackers are able to operate with elevated privileges by compromising access keys or credentials and pivoting laterally through the IT ecosystem," notes nVisium's Mannino.
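The "new accounts provisioned" and "access privilege reviews" metrics above both reduce to the same comparison: what an identity was granted against what it has actually exercised inside a review window. The Python below is an added example of that comparison, not code from any product or expert the page names; the grant table, the access log lines, the 90-day window, the 30-day grace period for fresh grants and the ":admin" high-risk suffix are constructed assumptions. A grant too new to judge by usage is set aside rather than flagged, except where it is high-risk, which is reported for immediate review.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 90             # assumption: review window
GRACE_DAYS = 30              # assumption: grants younger than this are not judged on usage
HIGH_RISK_SUFFIX = ":admin"  # assumption: naming convention for privileged entitlements

TODAY = date(2020, 3, 1)

# Constructed grants: user -> {entitlement: date granted}.
GRANTS = {
    "alice": {"crm:read": date(2019, 6, 1), "crm:export": date(2019, 6, 1),
              "payroll:read": date(2019, 6, 1)},
    "carol": {"crm:read": date(2020, 2, 24), "vpn:connect": date(2020, 2, 24),
              "payroll:read": date(2020, 2, 24), "hr-db:admin": date(2020, 2, 24)},
}

# Constructed access log, one "<date> <user> <entitlement> <target>" per line.
ACCESS_LOG = """\
2019-10-15 alice crm:export all-contacts.csv
2020-01-20 alice crm:read acct-1002
2020-02-11 alice crm:read acct-1140
2020-02-25 carol vpn:connect gw-1
2020-02-26 carol crm:read acct-0071
2020-02-28 alice crm:read acct-0071
"""


def parse_log(text):
    """Turn log lines into (date, user, entitlement); the target is kept out of
    the decision, since the review is about the entitlement, not the object."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, ent, _target = line.split(maxsplit=3)
        events.append((date.fromisoformat(day), user, ent))
    return events


def usage_review(grants, events, today, window_days=WINDOW_DAYS, grace_days=GRACE_DAYS):
    """Per user: entitlements exercised in the window, unused ones to remove,
    ones too new to judge, and new high-risk ones to review now. A use before
    the window (alice's crm:export) does not count; the question is whether
    the entitlement is still needed, not whether it ever was."""
    window_start = today - timedelta(days=window_days)
    used = defaultdict(set)
    for day, user, ent in events:
        if window_start <= day <= today:
            used[user].add(ent)
    report = {}
    for user, ents in grants.items():
        buckets = {"in_use": [], "remove": [], "too_new": [], "review_now": []}
        for ent, granted in sorted(ents.items()):
            if ent in used[user]:
                buckets["in_use"].append(ent)
            elif (today - granted).days >= grace_days:
                buckets["remove"].append(ent)
            elif ent.endswith(HIGH_RISK_SUFFIX):
                buckets["review_now"].append(ent)  # new and powerful: don't wait
            else:
                buckets["too_new"].append(ent)
        report[user] = buckets
    return report


def usage_ratio(report):
    """Fraction of judged entitlements (in use or removable) that are in use."""
    in_use = sum(len(b["in_use"]) for b in report.values())
    judged = in_use + sum(len(b["remove"]) for b in report.values())
    return round(in_use / judged, 2) if judged else 1.0


if __name__ == "__main__":
    report = usage_review(GRANTS, parse_log(ACCESS_LOG), TODAY)
    for user, buckets in report.items():
        print(user, buckets)
    print("share of judged entitlements in use:", usage_ratio(report))
```

The two users illustrate the two metrics: alice's stale export right and payroll access are the standing over-privilege an access review should remove, while carol is the new hire from Bretzmann's description, whose admin right on the HR database was granted "just in case" and should be questioned now rather than after ninety days of non-use.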

Number of machine identities used

A factor contributing to the complexity of modern identity management is that not only do humans have identities and access to network resources, machines do, too. "We are somewhat successful protecting human identities because organizations spend over $10 billion on IAM programs focused on human identities," says Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, a maker of a platform to protect digital keys and certificates.

"However," he continues, "the same organizations spend very little protecting machine identities. The bad guys know this, and they are targeting the digital keys and certificates machines use to authorize machine-to-machine connections and communications."

Key metrics can not only give an organization a good idea of how its IAM solution is performing, but help it plan for the future by allowing it to continually evaluate its systems. As Tim Wade, technical director of the CTO team at Vectra Networks, a provider of automated threat management solutions, notes, "Organizations investing in IAM must be prepared to iteratively review the effectiveness of the initiative and adapt to emerging requirements by creating, modifying and retiring prior processes."